Re: [Ietf-http-auth] submitted draft-oiwa-http-mutualauth-01.txt
Nicolas Williams <Nicolas.Williams@sun.com> Thu, 06 December 2007 08:33 UTC
Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: ietf-http-auth@osafoundation.org
Delivered-To: ietf-http-auth@osafoundation.org
Received: from laweleka.osafoundation.org (laweleka.osafoundation.org [204.152.186.98]) by leilani.osafoundation.org (Postfix) with ESMTP id 9EE3480C86 for <ietf-http-auth@osafoundation.org>; Thu, 6 Dec 2007 00:33:09 -0800 (PST)
Received: from localhost (laweleka.osafoundation.org [127.0.0.1]) by laweleka.osafoundation.org (Postfix) with ESMTP id AFF5C1422F0 for <ietf-http-auth@osafoundation.org>; Thu, 6 Dec 2007 00:33:10 -0800 (PST)
X-Virus-Scanned: by amavisd-new and clamav at osafoundation.org
X-Spam-Score: -1.732
X-Spam-Level:
X-Spam-Status: No, score=-1.732 tagged_above=-50 required=4 tests=[AWL=0.867, BAYES_00=-2.599]
Received: from laweleka.osafoundation.org ([127.0.0.1]) by localhost (laweleka.osafoundation.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HvO3JO+dh-5k for <ietf-http-auth@osafoundation.org>; Thu, 6 Dec 2007 00:33:04 -0800 (PST)
Received: from sca-ea-mail-4.sun.com (sca-ea-mail-4.Sun.COM [192.18.43.22]) by laweleka.osafoundation.org (Postfix) with ESMTP id BE048142207 for <ietf-http-auth@osafoundation.org>; Thu, 6 Dec 2007 00:33:04 -0800 (PST)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id lB68X3cx021381 for <ietf-http-auth@osafoundation.org>; Thu, 6 Dec 2007 08:33:03 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id lB68X2p7062997 for <ietf-http-auth@osafoundation.org>; Thu, 6 Dec 2007 01:33:03 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id lB68X22c008668; Thu, 6 Dec 2007 02:33:02 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id lB68X1UM008667; Thu, 6 Dec 2007 02:33:01 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Thu, 06 Dec 2007 02:33:01 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Subject: Re: [Ietf-http-auth] submitted draft-oiwa-http-mutualauth-01.txt
Message-ID: <20071206083301.GC8628@Sun.COM>
References: <87wss4oisd.fsf@bluewind.rcis.aist.go.jp> <CC3546AB-A060-44CB-8064-9B30F675134C@gbiv.com> <20071127053732.075BC33C21@delta.rtfm.com> <191786E3-2734-481F-BF75-45F06A4CB8F0@gbiv.com> <474BDEED.9050809@cisco.com> <tslzlwxc33i.fsf@mit.edu> <20071129003519.GF2540@Sun.COM> <20071205235420.GA8344@Sun.COM> <D2173231-7459-4A0C-9F51-F77EA8D86FD4@gbiv.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <D2173231-7459-4A0C-9F51-F77EA8D86FD4@gbiv.com>
User-Agent: Mutt/1.5.7i
Cc: ietf-http-auth@osafoundation.org, Sam Hartman <hartmans-ietf@mit.edu>
X-BeenThere: ietf-http-auth@osafoundation.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: ietf-http-auth.osafoundation.org
List-Unsubscribe: <http://lists.osafoundation.org/cgi-bin/mailman/listinfo/ietf-http-auth>, <mailto:ietf-http-auth-request@osafoundation.org?subject=unsubscribe>
List-Archive: <http://lists.osafoundation.org/pipermail/ietf-http-auth>
List-Post: <mailto:ietf-http-auth@osafoundation.org>
List-Help: <mailto:ietf-http-auth-request@osafoundation.org?subject=help>
List-Subscribe: <http://lists.osafoundation.org/cgi-bin/mailman/listinfo/ietf-http-auth>, <mailto:ietf-http-auth-request@osafoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Dec 2007 08:33:09 -0000
On Wed, Dec 05, 2007 at 04:07:33PM -0800, Roy T. Fielding wrote: > It would be a lot more useful to have a paper or small set > of references that explains why all these assertions are > believed to be true. If you have such a thing, please post it. Let me give some context that might help: - First, my presentation was very strongly influenced by draft-hartman-webauth-phishing-06.txt. - Second, my primary message to the Liberty folks was this: SAML, CardSpace, OpenID, etcetera, all such web authentication frameworks will fail to prevent phishing if the don't ensure that the server that the browser is connected to is not an MITM, because if phishers cannot steal authentication credentials but can still get in the middle, then they can still steal from users (e.g., by surreptitiously making bank transfers). Phishers will mount MITM attacks if that's all they can do. - Third, my secondary message, was about UIs and federations. This I did not deliver quite so succinctly, but that's fine given that the target audience focus on the protocol aspects of web authentication. I also had very limited time to present. This secondary message is based on an insight I got from Sam: that in the face of confusables and so on, the only thing that untrained users can rely on is their expectations of what they should find at some website. E.g., at your bank's site you expect a login page, and once logged in you expect to see specific account balances. Now, such expectations alone cannot defeat phishers who are mounting an MITM attack, and anyways, once the user gives their credentials to the phisher the game is lost anyways. The next step is to reinforce the process by adding authentication and MITM detection to try to address that problem, but we still need to provide something that can meet expectations and in a way that the phisher gets nothing useful. The next insight is that if we have lots of smallish federations around, then the thing that the user can expect at any one site, such as their bank, is that the browser will have authenticated them as a specific identity. Users already expect to see the authenticated name of the server in their browser status bar + lock icon, but this alone is not enough as there may be confusables and CAs/registrars cannot help as much as we'd like. But small federations, by virtue of being small, can much more easily prevent sites with confusable names from participating than CAs/registrars can. The UI element I have in mind is a status-bar-like element that shows the federation used to do authentication (and possibly also the user's identity in that federation). - To summarize: federation + a UI element showing the user's identity as authenticated to the server + mutual user<->server authentication + MITM prevention/detection = a decent solution to phishing. The (federation + UI element showing... + mutual auth) part deals with non-MITM phishers. The MITM prevention/detection part rounds out the picture. - There are several ways to detect/prevent MITMs in these apps (which, today, pretty much all use TLS). Three of these are: - push authentication down into TLS - get rid of TLS and push cryptographic session protection up to the application layer - use channel binding of authentication at the application layer to the TLS channels making up the session Of these I believe the channel binding solution is the best. But given the efforts to add GSS-API support to TLS I think we cannot discount the first item either. Finally, in the OASIS WSS TC / SOAP world I wouldn't discount the push-session-crypto-up approach. - Note that the federation enrolment case can still be susceptible to phishing. I.e., this scheme, if it works, pushes the opportunity for phishing to an area that's much less frequent that normal user web browsing activity. Nico --
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Eric Rescorla
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Roy T. Fielding
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Yutaka OIWA
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Chris Newman
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Nicolas Williams
- [Ietf-http-auth] submitted draft-oiwa-http-mutual… Yutaka OIWA
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Sam Hartman
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Roy T. Fielding
- Re: Re[2]: [Ietf-http-auth] submitted draft-oiwa-… Robert Sayre
- Re: Re[2]: [Ietf-http-auth] submitted draft-oiwa-… Eric Rescorla
- Re: Re[2]: [Ietf-http-auth] submitted draft-oiwa-… Robert Sayre
- Re: Re[2]: [Ietf-http-auth] submitted draft-oiwa-… Eric Rescorla
- Re: Re[2]: [Ietf-http-auth] submitted draft-oiwa-… Robert Sayre
- Re: Re[2]: [Ietf-http-auth] submitted draft-oiwa-… Eric Rescorla
- Re: Re[2]: [Ietf-http-auth] submitted draft-oiwa-… Eric Rescorla
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Eric Rescorla
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Eliot Lear
- Re[4]: [Ietf-http-auth] submitted draft-oiwa-http… Chris Drake
- Re: Re[2]: [Ietf-http-auth] submitted draft-oiwa-… Robert Sayre
- Re[2]: [Ietf-http-auth] submitted draft-oiwa-http… Chris Drake
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Roy T. Fielding
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Eliot Lear
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Roy T. Fielding
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Roy T. Fielding
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Yutaka OIWA
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Eric Rescorla
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Eric Rescorla
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Nicolas Williams
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Nicolas Williams
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Roy T. Fielding
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Nicolas Williams
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Nicolas Williams
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Eric Rescorla
- Re: [Ietf-http-auth] submitted draft-oiwa-http-mu… Alexey Melnikov